CVE-2025-67254 – NagiosXI 2026R1.0.1 build 1762361101 contains a... (How to Fix)

📋 TL;DR

NagiosXI 2026R1.0.1 build 1762361101 contains a directory traversal vulnerability in /admin/coreconfigsnapshots.php that allows attackers to access files outside the intended directory. This affects NagiosXI administrators and potentially exposes sensitive system files. The vulnerability requires administrative access to exploit.

💻 Affected Systems

Products:

NagiosXI

Versions: 2026R1.0.1 build 1762361101

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires administrative access to NagiosXI web interface to exploit the vulnerability.

📦 What is this software?

Nagios Xi by Nagios

View all CVEs affecting Nagios Xi →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers with admin credentials could read sensitive system files like /etc/passwd, configuration files, or application secrets, potentially leading to privilege escalation or further system compromise.

🟠

Likely Case

Malicious administrators or compromised admin accounts could access sensitive configuration files, potentially exposing credentials or system information.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrators who should already have access to sensitive files.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires administrative credentials but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.nagios.org/

Restart Required: No

Instructions:

1. Monitor Nagios official channels for security updates
2. Apply vendor patch when available
3. Verify fix by testing the vulnerable endpoint

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit administrative access to NagiosXI to only trusted personnel and implement strong authentication controls.

Web Application Firewall Rules

all

Implement WAF rules to block directory traversal patterns in requests to /admin/coreconfigsnapshots.php.

🧯 If You Can't Patch

Implement strict access controls and monitor admin user activity
Restrict file system permissions for the NagiosXI web application user

🔍 How to Verify

Check if Vulnerable:

Test if authenticated admin user can access files outside web root via /admin/coreconfigsnapshots.php with traversal sequences.

Check Version:

Check NagiosXI version in web interface or via system package manager

Verify Fix Applied:

Test the same traversal attempts after applying vendor patch or workarounds to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in web server logs
Multiple failed traversal attempts
Access to /admin/coreconfigsnapshots.php with traversal sequences

Network Indicators:

HTTP requests containing ../ or similar traversal patterns to the vulnerable endpoint

SIEM Query:

web.url:*coreconfigsnapshots.php* AND (web.url:*../* OR web.url:*..\*)

📊 Metadata

CVE ID: CVE-2025-67254

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-22

EPSS Score: 4.41% exploit probability (88.8th percentile)

Published: December 29, 2025

Last Updated: January 15, 2026

🔗 References

https://github.com/YongYe-Security/NagiosXI/tree/main Broken Link
https://www.nagios.org/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67254, you might also want to check these: